Windows 7 RTM Review: Improvements But Security Issues Remain

Applications can be approved in several different ways. For granular application identification, I could base policy on an application’s hash (best for uncertified applications), on an application’s publisher (for signed applications) or on the file system path to the executable – either the file or the folder.

Windows 7 makes it easy to get started because the Group Policy editor includes a couple of simple ways to generate rules. I could create default rules with one click; these basic rules allow everyone to run programs located in the Windows and Program Files directories and allow local Administrators to run all files.

This usage scenario makes an interesting companion to UAC and least-privilege computing. If AppLocker means a limited-rights user can run only programs found in permitted folders, and a tight UAC implementation bars users from writing to those folders, then it becomes difficult to use social engineering to trick someone into mistakenly installing bad or unwanted code.

For more granular controls, administrators can automatically generate rules. For example, I could specify a folder (such as Program Files), and a wizard would identify all executable content of the appropriate type, basing the policy either on a hash or on the path. I could further limit the scope of the policy by allowing only digitally signed executables.

These kinds of granular rules are more effective and restrictive, but keep in mind that they will require much more maintenance, as patching or upgrades will necessitate a refresh of policy settings.

One potential problem with AppLocker is that it requires one special service to be running to provide enforcement – the Application Identity service. First of all, administrators must make sure that the service starts automatically, and then they must make sure the service continues running.

Often, security providers provide additional watchdog protections to ensure that a critical security service stays up in the face of attack, but I’m not sure Windows takes those measures. There is no noticeable indication when the service is not active but AppLocker policies are present.
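Because nothing on screen shows that policies exist while the service is down, an administrator can script the check. The following is an added example, not code from the original review: it compares the effective AppLocker policy with the state of the Application Identity service (`AppIDSvc`). It assumes Windows PowerShell with the AppLocker module available, and the function name `Test-AppLockerEnforcement` is hypothetical.

```powershell
# Added example (not from the article): confirm that AppLocker rules on this
# machine are backed by a running, auto-starting Application Identity service.
# Assumes Windows PowerShell with the AppLocker module available.
Import-Module AppLocker

function Test-AppLockerEnforcement {   # hypothetical helper name
    # Win32_Service reports both the current state and the configured start mode.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"

    # Effective policy = local policy merged with any applicable Group Policy.
    $policy = Get-AppLockerPolicy -Effective

    # Keep only the rule collections (Exe, Script, ...) that actually hold rules.
    $active  = @($policy.RuleCollections | Where-Object { @($_).Count -gt 0 })
    $summary = @($active | ForEach-Object {
        "{0}={1} ({2} rules)" -f $_.RuleCollectionType, $_.EnforcementMode, @($_).Count
    })

    # Rules without the service are the silent failure the review describes.
    $problems = @()
    if ($active.Count -gt 0) {
        if (-not $svc) {
            $problems += 'AppIDSvc not found'
        } else {
            if ($svc.State -ne 'Running') {
                $problems += "AppIDSvc is $($svc.State); rules are not being enforced"
            }
            if ($svc.StartMode -ne 'Auto') {
                $problems += "AppIDSvc start mode is $($svc.StartMode), not Auto"
            }
        }
    }

    $state = 'Missing'; $mode = 'Missing'
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode }

    New-Object PSObject -Property @{
        PolicyPresent    = ($active.Count -gt 0)
        RuleCollections  = ($summary -join '; ')
        ServiceState     = $state
        ServiceStartMode = $mode
        Problems         = $problems
    }
}

$report = Test-AppLockerEnforcement
$report | Format-List
if ($report.Problems.Count -gt 0) { exit 1 }   # non-zero exit for monitoring tools
```

Run on a schedule or from a monitoring agent, the non-zero exit code gives the alert that Windows itself does not raise.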

Disk encryption with BitLocker

Windows 7 adds removable disk encryption capabilities to the most expensive editions – Ultimate and Enterprise. Called BitLocker To Go, the utility builds encryption and key management into the USB drive itself, allowing easy sharing of protected data with other Windows 7 instances. Users need only enter the password they specified when they first encrypted the drive.

BitLocker To Go-protected drives can also be accessed on older versions of Windows, as the utility includes a reader on the USB stick itself. When inserted into a Windows XP- or Vista-based system, the drive shows the reader to the user.

Run the reader, enter the protection password, and you can read the data or copy it locally. When inserted in a Mac, on the other hand, you see dozens of files, but you can’t access the protected content or manipulate the visible files.


Andrew Garcia eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
